Bryan is right in his analysis, even if we support adding such users, the split on "," during policy creation will be an issue.
I think the right solution would be to use the transformation feature implemented by *@Sailaja* in https://issues.apache.org/jira/browse/RANGER-684.

Thanks.

On Thu, May 5, 2016 at 2:59 AM, Sailaja Polavarapu <[email protected]> wrote:

> We currently have a username/groupname transformation feature implemented
> for LDAP sync (https://issues.apache.org/jira/browse/RANGER-684). May be
> we can do similar changes for File source sync or move the name
> transformation logic to common location for all sync sources.
> Few things to consider when we implement name transformation logic to File
> source -
> 1. For non Json files, provide a delimiter that is not part of the
> transformation logic in order to distinguish between usernames & groupnames
> while reading from the input file.
> 2. Apply same transformation logic while sending any authorization
> requests to ranger with username and/or groupname
> 3. Apply same transformation logic if using other services like solr,
> kafka, etc…
>
> Thanks,
> Sailaja.
>
>
> On 5/4/16, 2:03 PM, "Bryan Bende" <[email protected]> wrote:
>
> >I don't think this one has a server side fix...
> >
> >We can fix the user sync to remove email validation (RANGER-968), and we
> >can change the UI to allow DNs on user creation(RANGER-967)...
> >
> >But in either case, we can't create a policy through the UI when the
> >username is a DN. The REST API may work, but there has to be something user
> >facing.
> >
> >Do you view this as another JIRA? or maybe I'm trying to force something
> >that wasn't intended to work?
> >
> >
> >On Wed, May 4, 2016 at 4:03 PM, Don Bosco Durai <[email protected]> wrote:
> >
> >> Gautam might be the right person to answer UI related questions.
> >>
> >> If server side fix will unblock you, then I will suggest that you should
> >> fix it for the time being. We can ask Gautam to look into the UI side.
> >>
> >> Thanks
> >>
> >> Bosco
> >>
> >>
> >> On 5/4/16, 12:02 PM, "Bryan Bende" <[email protected]> wrote:
> >>
> >> >All,
> >> >
> >> >I started looking at this ticket because I initially thought it would be
> >> >straight forward...
> >> >
> >> >In UserForm.js I changed the regex validator from
> >> >[a-z0-9][a-z0-9,._\-'+/@]
> >> > to [a-z0-9][a-z0-9,._\-'+/@= ] which allowed "=" and spaces. That allowed
> >> >me to enter a DN as a user name.
> >> >
> >> >The next issue is that when creating a policy for that user, the value of
> >> >the users field is split on commas, so a single DN with commas ends being
> >> >submitted as several users that don't exist, and prevent the policy from
> >> >being created.
> >> >
> >> >This happens in RangerPolicyForm.js with this code:
> >> >
> >> >if(!_.isUndefined(m.get('userName')) && !_.isNull(m.get('userName'))){
> >> > policyItem.set("users",m.get("userName").split(','));
> >> >}
> >> >
> >> >I have a feeling this can't easily be changed because it is how multiple
> >> >selected users are being stored behind the scenes.
> >> >
> >> >Does anyone have any thoughts on what else would need to be changed to
> >> >allow a username with commas in it?
> >> >
> >> >Thanks,
> >> >
> >> >Bryan
> >> >
> >> >
> >> >On Wed, May 4, 2016 at 1:07 PM, Bryan Bende (JIRA) <[email protected]> wrote:
> >> >
> >> >>
> >> >> [
> >> >> https://issues.apache.org/jira/browse/RANGER-967?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
> >> >> ]
> >> >>
> >> >> Bryan Bende updated RANGER-967:
> >> >> -------------------------------
> >> >> Fix Version/s: 0.6.0
> >> >>
> >> >> > Allow additional characters in username
> >> >> > ---------------------------------------
> >> >> >
> >> >> > Key: RANGER-967
> >> >> > URL: https://issues.apache.org/jira/browse/RANGER-967
> >> >> > Project: Ranger
> >> >> > Issue Type: Improvement
> >> >> > Reporter: Bryan Bende
> >> >> > Assignee: Bryan Bende
> >> >> > Priority: Minor
> >> >> > Fix For: 0.6.0
> >> >> >
> >> >> >
> >> >> > Currently the Username field on the Create User form in the UI performs validation that restricts the value to:
> >> >> > [a-z0-9][a-z0-9,._\-'+/@]+
> >> >> > I'd like to be able to add a DN as a username such as:
> >> >> > CN=localhost, OU=My Org, O=Apache, L=Santa Monica, ST=CA, C=US
> >> >> > I believe this would require adding "=" and spaces as valid characters.
> >> >>
> >> >>
> >> >> --
> >> >> This message was sent by Atlassian JIRA
> >> >> (v6.3.4#6332)
> >> >>
> >>

--
Regards,
Gautam.
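
The comma split described in the quoted message and the name-transformation approach suggested at the top of the thread, as an added JavaScript example that is not part of the original messages or Ranger's code. `transformName` is a hypothetical rule (not the RANGER-684 syntax), the helper names are assumptions, and the user list is constructed sample data; `buildNameMap` also refuses a rule that leaves a comma or maps two identities to one policy name, since such a collision would make one policy apply to both.

```javascript
// Constructed sample data: two known users, one of them a DN (from RANGER-967).
const DN = "CN=localhost, OU=My Org, O=Apache, L=Santa Monica, ST=CA, C=US";
const knownUsers = [DN, "alice"];

// Mirrors the quoted RangerPolicyForm.js logic: the selected users travel as
// one comma-joined string and are split back on ','.
function splitLikePolicyForm(userNameField) {
  return userNameField.split(",");
}

// Names that would not match any existing user after the split.
function unknownNames(names, known) {
  const set = new Set(known);
  return names.filter((n) => !set.has(n));
}

// Hypothetical transformation rule (an assumption, not RANGER-684's syntax):
// keep only the CN value of a DN and leave every other name unchanged.
function transformName(name) {
  const m = /^CN=([^,]+),/i.exec(name);
  return m ? m[1].trim() : name;
}

// Build the policy-name -> raw-name map once, rejecting rules that would make
// policies ambiguous: a surviving comma, or two identities sharing one name.
function buildNameMap(rawNames, transform) {
  const byPolicyName = new Map();
  for (const raw of rawNames) {
    const mapped = transform(raw);
    if (mapped.includes(",")) throw new Error(`comma survives in "${mapped}"`);
    if (byPolicyName.has(mapped)) {
      throw new Error(`"${raw}" and "${byPolicyName.get(mapped)}" both map to "${mapped}"`);
    }
    byPolicyName.set(mapped, raw);
  }
  return byPolicyName;
}

// Untransformed: one DN plus "alice" turns into seven names, six of them unknown.
const broken = splitLikePolicyForm(knownUsers.join(","));
console.log(broken.length, unknownNames(broken, knownUsers).length);

// Transformed consistently: the same join/split round-trips the two users.
const nameMap = buildNameMap(knownUsers, transformName);
console.log(splitLikePolicyForm([...nameMap.keys()].join(",")));
```

The same map has to be applied wherever a user name reaches an authorization request, which is point 2 in Sailaja's list.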
